Introduction to ASP.NET security
In ASP.NET, two closely linked concepts govern application security: authentication and authorization. Authentication obtains some form of identification from the user and uses it to verify the user's identity. Authorization then decides whether an authenticated user may access the resource requested. Authentication always precedes authorization. This topic introduces both halves of ASP.NET security.
Authentication of ASP.NET security
ASP.NET supports several authentication schemes for web applications, and you can also plug in your own. The scheme is selected through settings in the application's web.config file, an XML file that lets you change ASP.NET's behaviour easily. ASP.NET ships with three authentication providers: Windows authentication, Forms authentication, and Passport authentication.
1. Windows authentication
This is ASP.NET's default provider. It authenticates users against their Windows accounts and relies on IIS to perform the actual authentication. IIS can be configured so that only users in the Windows domain can log in. When a user requests a page without being authenticated, the browser shows a dialogue box asking for a username and password. That information is passed to the web server and checked against the list of users in the domain, and access is granted or refused based on the result.
To use Windows authentication, the web.config settings are as follows:
<authentication mode="Windows" />
<authorization>
  <allow users="*" />
</authorization>
Within Windows authentication there are four options that can be configured in IIS:
- Basic authentication: The Windows user name and password must be supplied to connect. They are sent over the network in plain text (only Base64-encoded, not encrypted), which makes this an insecure form of authentication.
- Integrated Windows authentication: The password is never sent across the network; instead a challenge/response protocol (NTLM or Kerberos) authenticates the user. It provides the tooling for authentication, and strong cryptography helps secure information in systems across the entire network.
- Anonymous authentication: IIS performs no authentication check at all and lets any user reach the ASP.NET application.
- Digest authentication: Almost the same as Basic authentication, but the password is hashed before it is sent across the network.
2. Forms authentication
Forms authentication lets you handle authentication with your own custom logic inside the ASP.NET application. When a user requests a page, ASP.NET checks for a special authentication cookie. If the cookie is present, ASP.NET treats the user as authenticated and processes the request. If it is absent, ASP.NET redirects the user to a web form you provide. Once your form has authenticated the user, it signals this to ASP.NET through the forms authentication API, which creates the special cookie that handles subsequent requests.
To use Forms authentication, the web.config settings are as follows:
<authentication mode="Forms">
  <forms loginUrl="login.aspx" name="loginform" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
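As an added illustration, not code from the article, here is a fuller web.config for the forms scenario. It hardens the <forms> element so that the ticket cookie is encrypted, signed and only sent over HTTPS, denies anonymous users site-wide, and uses a <location> element to open the folder of stylesheets and images that the login page needs: ASP.NET skips authorization for the loginUrl page itself, but not for the resources that page loads. The page name Login.aspx, the cookie name, the Content folder and the 30-minute timeout are assumed values.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the article. Page names, cookie name,
     folder and timeout are assumed values. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All": the ticket is encrypted and signed (the default,
           stated explicitly here).
           requireSSL="true": the ticket cookie is only sent over HTTPS.
           slidingExpiration="false": the ticket expires a fixed time after
           login instead of being renewed on every request.
           timeout: ticket lifetime in minutes. -->
      <forms loginUrl="Login.aspx"
             name=".SAMPLEAUTH"
             timeout="30"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             defaultUrl="Default.aspx" />
    </authentication>

    <!-- "?" is the anonymous user: every unauthenticated request is
         redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keep the ticket cookie out of reach of client-side script. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- The login page is exempted from authorization automatically, but the
       stylesheets and images it references are not, so open that folder
       explicitly or the login page renders without them. -->
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL set, ASP.NET refuses to issue the ticket cookie over plain HTTP, so the login page must be served over HTTPS; that is the behaviour you want in production, and it is the first thing to check if logins fail in a development setup.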
3. Passport authentication
Passport authentication lets you use Microsoft's Passport service to authenticate users of your application. If your users have signed up for Passport and the application's authentication mode is set to Passport, all authentication duties are offloaded to the Passport servers. An encrypted cookie indicates which users are authenticated. Users who have already signed in to Passport when they visit the site are treated as authenticated by ASP.NET; otherwise they are redirected to the Passport servers to log in, and only after a successful login are they redirected back to your website.
To use Passport authentication, the web.config settings are as follows:
<authentication mode="Passport">
  <passport redirectUrl="login.aspx" />
</authentication>
Authorization of ASP.NET security
Authentication and authorization are two interconnected security concepts. Authorization is the process of checking whether the user may access the resource they requested. ASP.NET offers two forms of authorization: file authorization and URL authorization.
- File authorization: Performed by the FileAuthorizationModule, which uses the ACL (Access Control List) of the requested .aspx file to decide whether the user may access it. The ACL permissions are checked against the user's Windows identity.
- URL authorization: In the web.config file you specify authorization rules for individual directories or files using the <authorization> element.
The syntax is as follows:
<authorization>
  <allow users="SwatiTawde" />
  <deny users="*" />
</authorization>
This configuration allows the user SwatiTawde and denies every other user access to the application. To grant access to more users, list their names separated by commas, for example SwatiTawde, eduCBA, edu. To allow only the Admin role to access the application and deny everyone else, write the following in web.config:
<authorization>
  <allow roles="Admin" />
  <deny users="*" />
</authorization>
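A second added example, again not from the article, shows how URL authorization rules combine across directories under Windows authentication. Rules are evaluated top to bottom and the first matching rule wins, and rules declared for a <location> are evaluated before the rules inherited from the site root. The folder names Admin and Reports and the domain group CORP\WebAdmins are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the article. Folder names and the group
     CORP\WebAdmins are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- Root rules: anonymous users ("?") are refused, every authenticated
         Windows user may browse the rest of the site. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Admin area: only members of the placeholder domain group get in.
       The first matching rule wins, so the allow must come before the
       catch-all deny; reversing the two lines locks everybody out. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CORP\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Reports: authenticated users may read (GET) but only the admin group
       may submit changes (POST). The anonymous deny is repeated first
       because these rules run before the inherited root rules, and "*"
       would otherwise match anonymous requests too. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="CORP\WebAdmins" />
        <allow verbs="GET" users="*" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When reviewing such a file, read each <authorization> block together with the rules it inherits from its parents and trace a few concrete requests (anonymous GET, authenticated POST, an Admin user) through the list in order; most misconfigurations here come from a rule placed after the catch-all deny that can never be reached.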
This has been a guide to ASP.NET security. We have discussed its two main concepts, authentication and authorization, together with their web.config syntax.